Honeypots mailing list archives
extracting syslog data out of raw pcap dumps
From: "Chris Boubalos" <boubalos () md5sa com>
Date: Thu, 5 Jun 2003 12:27:24 +0300
Hi all,

Honeynet or not, if someone has a syslog server lost or compromised, there is always a chance to recover log entries from within a raw capture. To make this easier I wrote an open source utility to extract syslog entries from a pcap dump file (like tcpdump's save files).

Output is in the form of:

=============================================================================
date srcMACaddr/srcIPaddr <facilityandlevel>syslogdata

i.e.

Oct 14 15:33:42 00:02:A5:9C:60:1E/10.0.0.42 <13>root: blah...

or

Oct 14 15:35:04 00:02:A5:9C:60:1E/10.0.0.42 <13>root: blahhhhhhhhhhhhhh(incomplete) 118 bytes missing.
=============================================================================

Syslog data will be on stdout while everything else is on stderr, i.e. warnings and a report like:

logdump-1.0 (extract syslog packets from tcpdump files)
- dump file information -
filename ANOTHERTEST-short
snaplen 96
pcap version 2.4
syslog packets 7
filter string: udp dst port 514

In case someone finds it useful, I would be very interested in comments and suggestions.

It's at:
http://www.md5sa.com/downloads/logdump/logdump-1.0.tgz
http://www.md5sa.com/downloads/logdump/README

___________________
Chris Boubalos
Security & Forensics Team Leader
MD5 S.A.
boubalos () md5sa com
www.md5sa.com
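The recovery the post describes, as an added illustration that is not logdump's own code: a dependency-free Python parser that walks a classic libpcap save file, keeps UDP datagrams to port 514, prints them in the same "date srcMAC/srcIP <pri>message" style, and reports how many bytes the snaplen cut off, exactly the "(incomplete) N bytes missing." case shown above. The sample capture is constructed in memory (MAC/IP values borrowed from the post's example output; `build_pcap` and the timestamps are assumptions for the demo).

```python
import struct
import time

def pcap_records(data):
    """Yield (ts_sec, origlen, frame) from a classic libpcap save file (bytes)."""
    magic = struct.unpack("<I", data[:4])[0]
    e = "<" if magic == 0xA1B2C3D4 else ">"          # byte order of the writer
    off = 24                                          # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, _, caplen, origlen = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, origlen, data[off:off + caplen]
        off += caplen

def extract_syslog(data, port=514):
    """Return lines in logdump's style: 'date srcMAC/srcIP <pri>message'."""
    lines = []
    for ts_sec, origlen, f in pcap_records(data):
        if len(f) < 42 or f[12:14] != b"\x08\x00" or f[23] != 17:
            continue                                  # need Ethernet + IPv4 + UDP
        ihl = (f[14] & 0x0F) * 4
        udp = f[14 + ihl:]
        if len(udp) < 8:
            continue                                  # UDP header itself was cut off
        dport, ulen = struct.unpack("!HH", udp[2:6])
        if dport != port:
            continue
        payload = udp[8:ulen]                         # stop before any Ethernet padding
        missing = (ulen - 8) - len(payload)           # bytes lost to the snaplen
        mac = ":".join("%02X" % b for b in f[6:12])
        ip = ".".join(str(b) for b in f[26:30])
        stamp = time.strftime("%b %d %H:%M:%S", time.gmtime(ts_sec))
        text = payload.decode("ascii", "replace")
        if missing > 0:
            text += "(incomplete) %d bytes missing." % missing
        lines.append("%s %s/%s %s" % (stamp, mac, ip, text))
    return lines

def build_pcap(messages, snaplen=96):
    """Constructed sample capture: one UDP/514 datagram per message, cut at snaplen."""
    src_mac, src_ip, dst_ip = b"\x00\x02\xa5\x9c\x60\x1e", b"\x0a\x00\x00\x2a", b"\x0a\x00\x00\x01"
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, msg in enumerate(messages):
        udp = struct.pack("!HHHH", 514, 514, 8 + len(msg), 0) + msg
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src_ip, dst_ip)
        frame = b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp
        hdr = struct.pack("<IIII", 1066145622 + i, 0, min(len(frame), snaplen), len(frame))
        out += hdr + frame[:snaplen]                  # snaplen truncation, as tcpdump -s 96
    return out

if __name__ == "__main__":
    for line in extract_syslog(build_pcap([b"<13>root: blah...", b"<13>root: " + b"h" * 200])):
        print(line)
```

The second constructed message is 210 bytes long, so with a 96-byte snaplen only 54 payload bytes survive and the line ends with "(incomplete) 156 bytes missing.".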